HIGH 8.1

CVE-2026-44882: Portainer Kubernetes Authorization Bypass Vulnerability

Portainer Community Edition versions 2.33.0 through 2.33.7 contain an authorization bypass vulnerability in how it proxies requests to Kubernetes clusters. When a user's token validation fails during a security check, the application incorrectly continues processing the request instead of stopping it. This allows an authenticated Portainer user without permission to access a specific Kubernetes cluster to send requests directly to that cluster anyway, circumventing the intended access controls. An attacker must already have a valid Portainer session to exploit this.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weaknesses (CWE)
CWE-863
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33., Portainer proxies requests to Kubernetes clusters through a middleware layer (kubeClientMiddleware) that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missing a return statement — execution continued into the handler with a nil tokenData value. The Kubernetes endpoints sit behind Portainer's outer AuthenticatedAccess bouncer, so an attacker requires a valid Portainer session. However, a user whose secondary token validation fails in kubeClientMiddleware — for example a user without permission to access a given Kubernetes endpoint — would have their request forwarded to the cluster anyway, bypassing the authorization check. The same defect was present in both the CE and EE codebases. This vulnerability is fixed in 2.33.8.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The kubeClientMiddleware component in Portainer handles token validation before forwarding Kubernetes API requests to backend clusters. When the security.RetrieveTokenData function encounters an error during secondary token validation, the middleware writes an HTTP 403 response but omits a return statement. Execution proceeds into the handler with a nil tokenData value, allowing the request to be forwarded to the Kubernetes cluster without proper authorization verification. This affects both Community Edition and Enterprise Edition codebases. The outer AuthenticatedAccess bouncer ensures only users with a valid Portainer session can reach this middleware, limiting the attack surface but not eliminating the risk for insufficiently-permissioned users.

Business impact

An authenticated user who should lack access to a specific Kubernetes cluster managed through Portainer can bypass authorization controls and interact directly with that cluster's API. This could enable unauthorized data exfiltration, workload modification or deletion, credential theft from cluster secrets, or lateral movement to other infrastructure. Organizations relying on Portainer's permission model for multi-tenant Kubernetes environments face elevated risk of privilege escalation and data exposure within their container orchestration platforms.

Affected systems

Portainer Community Edition versions 2.33.0 through 2.33.7 are affected. The vulnerability also exists in the corresponding Enterprise Edition versions within the same range. Systems managing Docker Swarm, Kubernetes, or ACI environments through these Portainer versions are at risk. Mitigation requires upgrading to version 2.33.8 or later.

Exploitability

Exploitation requires an attacker to possess a valid Portainer user account with an active session, limiting this to authenticated insiders or users granted legitimate Portainer access. No network authentication or user interaction is required beyond initial session establishment. The attack is straightforward to execute—any request to a Kubernetes endpoint where the user lacks secondary permissions will trigger the vulnerability. The CVSS 3.1 score of 8.1 (HIGH severity) reflects the high confidentiality and integrity impact despite the requirement for valid credentials.

Remediation

Upgrade Portainer to version 2.33.8 or later, which includes the corrected kubeClientMiddleware logic with proper return statement handling. Organizations should prioritize this patch for any multi-tenant Portainer deployments where users have differentiated access to Kubernetes clusters. Until patching is possible, restrict Portainer access to highly trusted administrators and monitor Kubernetes API audit logs for unexpected or unauthorized requests originating through Portainer.

Patch guidance

Deploy Portainer 2.33.8 or newer across all affected installations. Review your current Portainer version via the web interface (Settings > About) or CLI. Plan patching during a maintenance window to avoid service interruption to running containers. Verify that all container hosts and Kubernetes clusters remain accessible and operational post-upgrade by testing workload deployment and cluster connectivity through the Portainer UI.

Detection guidance

Monitor Portainer access logs for requests to Kubernetes endpoints by users or roles that should not have permission to those endpoints. Inspect Kubernetes API audit logs for requests that originated through Portainer's proxy layer with authorization errors or unexpected access patterns. Check Portainer's middleware and authentication logs for 403 responses followed by subsequent successful requests in quick succession, which may indicate exploitation. Use network intrusion detection to flag API requests from Portainer to Kubernetes clusters from unexpected service accounts or with suspicious patterns.

Why prioritize this

Although exploitation requires a valid Portainer session, this vulnerability enables privilege escalation within container orchestration environments. Kubernetes access often grants broad capabilities over production infrastructure. Organizations with multi-tenant Portainer deployments should prioritize this patch immediately. Less critical for single-administrator deployments but still important to address promptly given the high CVSS score and the sensitivity of Kubernetes cluster access.

Risk score, explained

The CVSS 3.1 score of 8.1 reflects HIGH severity due to high impact on confidentiality and integrity of Kubernetes resources. The attack vector is network-accessible, requires low complexity, and demands only low privileges (a valid Portainer session) with no user interaction. The scope is unchanged and availability is not impacted. The score appropriately reflects the practical risk: authenticated users can escalate their privileges within managed clusters, but exploitation is limited to those already holding some form of Portainer access.

Frequently asked questions

Can an attacker exploit this without a Portainer account?

No. The vulnerability requires an authenticated Portainer session. The outer AuthenticatedAccess bouncer enforces user login before requests reach the vulnerable middleware. However, any user with a valid Portainer account—including those with limited permissions—can potentially exploit this to access Kubernetes clusters they should not reach.

Does this affect Kubernetes clusters outside of Portainer's management?

No. Only Kubernetes clusters proxied through the affected Portainer instance are at risk. Kubernetes clusters accessed directly or through other platforms are unaffected. However, if a cluster is managed by Portainer, the authorization bypass allows attackers to interact with that cluster's full API.

What should I do if I cannot patch immediately?

Limit Portainer access to administrators and trusted users only. Review and audit existing Kubernetes permissions within your Portainer configuration. Monitor Kubernetes API audit logs and Portainer access logs for suspicious activity. Consider blocking or restricting the affected Portainer version from managing critical production Kubernetes clusters until patching is complete.

Is there a workaround that avoids patching?

No reliable workaround exists. The vulnerability is a logic error in the authorization middleware that cannot be safely compensated for at the network or configuration level. Patching to version 2.33.8 or later is the only remediation.

This analysis is provided for informational purposes and reflects the vulnerability description and CVSS assessment as published. Organizations should verify all patch versions and availability through official Portainer vendor documentation and security advisories. Testing in non-production environments is strongly recommended before deploying patches to production systems. SEC.co does not provide legal or compliance advice; consult your organization's security and compliance teams regarding remediation timelines and risk tolerance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).